Adding Registry File Evidence
Posted by Jack H. Ward, Last modified by Jack H. Ward on 29 January 2018 03:21 AM
Registry File Evidence is a link to a file in the binary hive format in which the contents of the Windows registry are stored.

To add new registry file evidence to the case:

1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen. (If you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3.)

2. The Add New Evidence window opens.
3. Select the Registry evidence category and Registry file as its Source type.

4. In the standard Open window, navigate to the desired registry file. Click OK.
5. Enter the Evidence name (by default, the name of the opened registry file) and click OK.
6. The registry data is added to the case.
7. Registry keys and subkeys are displayed in the Case Content pane (to the left), key values and the subkeys of the selected key are displayed in the Data View pane (to the right).
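Before a file is added as Registry file evidence in step 4, it is worth confirming that it really is a hive and noting whether it was cleanly written. The script below is an added example and is not part of E3 or of this article; it reads the regf base block (the first 4096 bytes of a primary hive) using the publicly documented field offsets, verifies the XOR-32 checksum, and flags a "dirty" hive whose primary and secondary sequence numbers differ, which means the last write was interrupted and the .LOG transaction logs should be considered. The sample hive bytes it builds are constructed for the demonstration, not taken from a real system.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# Layout of the regf base block (first 4096 bytes of a primary hive file),
# as given in the public registry file format descriptions.
REGF_MAGIC = b"regf"
HBIN_MAGIC = b"hbin"
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 508
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def xor32_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field (offsets 0..507)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        csum ^= dword
    # Windows reserves 0 and 0xFFFFFFFF and remaps them.
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_base_block(data: bytes) -> dict:
    """Validate and decode the base block; raise ValueError if this is not a hive."""
    if len(data) < BASE_BLOCK_SIZE + 32:
        raise ValueError("file is too small to be a registry hive")
    if data[:4] != REGF_MAGIC:
        raise ValueError("missing 'regf' signature: not a registry hive")
    (primary_seq, secondary_seq, last_written, major, minor, file_type,
     file_format, root_cell, bins_size, cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    # 64 bytes of UTF-16LE: the tail of the hive's file path
    hive_name = data[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored_csum = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "hive_name": hive_name,
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else "transaction log",
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": root_cell,
        "hive_bins_size": bins_size,
        "checksum_ok": stored_csum == xor32_checksum(data),
        # Unequal sequence numbers mean the last write did not complete:
        # the hive is dirty and its .LOG transaction logs matter for recovery.
        "dirty": primary_seq != secondary_seq,
        "first_hbin_ok": data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] == HBIN_MAGIC,
    }


def build_sample_hive(primary_seq: int, secondary_seq: int,
                      hive_name: str, last_written: datetime) -> bytes:
    """Constructed sample (not a real hive): a base block plus one empty hive bin."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_MAGIC
    struct.pack_into("<IIQIIIIIII", block, 4,
                     primary_seq, secondary_seq, datetime_to_filetime(last_written),
                     1, 5,        # major / minor format version
                     0, 1,        # file type: primary; file format: direct memory load
                     0x20,        # root cell offset, relative to the hive bins data
                     0x1000,      # hive bins data size
                     1)           # clustering factor
    name = hive_name.encode("utf-16-le")[:64]
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, CHECKSUM_OFFSET, xor32_checksum(bytes(block)))
    hbin = bytearray(0x1000)
    hbin[:4] = HBIN_MAGIC
    struct.pack_into("<II", hbin, 4, 0, 0x1000)  # bin offset, bin size
    return bytes(block) + bytes(hbin)


SAMPLE_TIME = datetime(2018, 1, 29, 3, 21, tzinfo=timezone.utc)  # constructed


def sample_clean_hive() -> bytes:
    return build_sample_hive(5, 5, "\\Config\\SAMPLE-HIVE", SAMPLE_TIME)


def sample_dirty_hive() -> bytes:
    return build_sample_hive(7, 6, "\\Config\\SAMPLE-HIVE", SAMPLE_TIME)


if __name__ == "__main__":
    # Pass a hive path to inspect a real file; otherwise the constructed sample is shown.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_clean_hive()
    for key, value in parse_base_block(raw).items():
        print(f"{key:>18}: {value}")
```

A failed checksum or a dirty flag is not a reason to discard the file, but it is worth recording in the case notes alongside the evidence name from step 5, since a dirty hive reflects a state that the live system had not yet committed.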

The investigation of registry data evidence is possible with the following packages:

  • E3: Universal
  • E3: P2C.
